Carrier IQ Smartphone Keylogging Rootkit: "just testing"?

Ahtiga Saraz
Posts: 1014
Joined: 2009-06-15 01:19

Carrier IQ Smartphone Keylogging Rootkit: "just testing"?

#1 Post by Ahtiga Saraz »

A while back, after studying the tortuous language of US laws such as the so-called "Patriot Act" [sic], I speculated that much of the most intrusive universal population surveillance in the USA is conducted under the transparent legal guise of an (eternal) "test of the equipment".

A recent and widely reported news story, concerning a keylogger made by a California, US spyco, Carrier IQ, which is apparently very widely deployed without the knowledge or consent of consumers in Androids, Blackberries, EVOs, and iPhones (but maybe not Windows phones!), may provide further evidence supporting such speculations:
  • (Long and detailed) untitled blog post, Android Police, 4 October 2011

    http://www.androidpolice.com/2011/10/01/massive-security-vulnerability-in-htc-android-devices-evo-3d-4g-thunderbolt-others-exposes-phone-numbers-gps-sms-emails-addresses-much-more/
    
    Justin Case and I have spent all day together with Trevor Eckhart (you may remember him as TrevE of DamageControl and Virus ROMs) looking into Trev's findings deep inside HTC's latest software installed on such phones as EVO 3D, EVO 4G, Thunderbolt, and others.... In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in. That is not the case. What Trevor found is only the tip of the iceberg...currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:
    • the list of user accounts, including email addresses and sync status for each
    • last known network and GPS locations and a limited previous history of locations
    • phone numbers from the phone log
    • SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
    • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
    Two points here: (i) Carrier IQ is logging vast amounts of personal information without the knowledge or consent of consumers, who do not even have an "opt-out". (ii) They appear to have made no attempt to prevent others from accessing all the data they forcibly collect. Consumers might not have known about the Carrier IQ logs until Trevor Eckhart's revelations--- but information stealing crooks and private investigators probably did.
  • Carrier IQ defends against Android rootkits accusation
    Handset makers and carriers to blame
    Lawrence Latif, The Inquirer, 17 November 2011

    www.theinquirer.net/inquirer/news/2125853/carrier-iq-defends-android-rootkits-accusation
    
    Carrier IQ, which claims to provide 'mobile intelligence', has been accused of supplying rootkits that track user interactions on smartphones. Carrier IQ's software is found on many operating systems including Google's Android and records application runtimes, media playback, location statistics and when calls are received.
  • Android researcher: Carrier IQ 'diagnostic' tool really a rootkit spy
    Elinor Mills, CNET News, 17 November 2011
    Android developer Trevor Eckhart recently noticed something odd on several EVO HTC devices: hidden software that phoned home to the carrier with details about how the phone was being used and where it was. The software, Carrier IQ, tracked the location of the phone, what keys were pressed, which Web pages were visited, when calls were placed, and other information on how the device is used and when.
  • Mobile ‘Rootkit’ Maker Tries to Silence Critical Android Dev
    David Kravets, Wired, 22 November 2011

    http://www.wired.com/threatlevel/2011/11/rootkit-brouhaha/
    
    A data-logging software company is seeking to squash an Android developer’s critical research into its software that is secretly installed on millions of phones, but Trevor Eckhart is refusing to publicly apologize for his research and remove the company’s training manuals from his website. Though the software is installed on millions of Android, BlackBerry and Nokia phones, Carrier IQ was virtually unknown until the 25-year-old Eckhart analyzed its workings, recently revealing that the software secretly chronicles a user’s phone experience, from its apps, battery life and texts. Some carriers prevent users who actually find the software from controlling what information is sent... Eckhart called the software a “rootkit,” a security term that refers to software installed at a low-level on a device, without a user’s consent or knowledge in order to secretly intercept the device’s workings. ... the Electronic Frontier Foundation announced it had come to the assistance of the 25-year-old Eckhart of Connecticut, whom Carrier IQ claims has breached copyright law for reposting the manuals.
    (The manuals were available to all at Carrier IQ's own website!) When Kravets asked a Carrier IQ spokesman about the capabilities of its spyware, he was told
    He said the company’s wares are for “gathering information off the handset to understand the mobile-user experience, where phone calls are dropped, where signal quality is poor, why applications crash and battery life.” “We’re not looking at texts. We’re counting things. How many texts did you send and how many failed. That’s the level of metrics that are being gathered,” he said. He answered “probably yes” when asked whether the company could read the text messages if it wanted.
    See "encoded text (not sure yet if it's possible to decode it, but very likely)" in the previous item. IMO, installing a "keylogging rootkit for the purpose of spying" appears to be a reasonable description of what Carrier IQ is doing to millions of consumers. How can that possibly be legal, even in the USA? The answer, I speculate, may be that this is yet another "public-private partnership" in which the government ignores illegal secret data collection, so long as it gets free access to all that data.
    In addition to Carrier IQ (CIQ) that was planted by HTC/Sprint and prompted all kinds of questions a while ago, HTC also included another app called HtcLoggers.apk. This app is capable of collecting all kinds of data, as I mentioned above, and then... provide it to anyone who asks for it by opening a local port. Yup, not just HTC, but anyone who connects to it, which happens to be any app with the INTERNET permission.
  • Carrier IQ sends a stiff letter to a security researcher
    Not happy with its own documents
    Lawrence Latif, The Inquirer, 22 November 2011

    www.theinquirer.net/inquirer/news/2126899/carrier-iq-sends-stiff-letter-security-researcher
    
    SECURITY RESEARCHER Trevor Eckhart has received a cease and desist letter from Carrier IQ following his investigation into firm's mobile phone analytics software.... The Electronic Frontier Foundation (EFF), which represents Eckhart, published a letter it sent to Carrier IQ's lawyers arguing that the publication of training documents is "classic fair use and, therefore, non-infringing". The EFF continued by saying that the dissemination of information was in the public interest.
  • Data logging outfit tries to silence whistleblower
    Threatens to sue
    Nick Farrell, Tech Eye, 23 November 2011

    news.techeye.net/security/data-logging-outfit-tries-to-silence-whistleblower
    
    A data logging outfit is trying to silence an Android developer who blew the whistle on its software that is secretly installed on millions of phones.... Carrier IQ was furious at his pronouncements and... issued a cease-and-desist notice, saying Eckhart was in breach of copyright law and could face damages of as much as $150,000, the maximum allowed under US copyright law per violation. The company removed the manuals from its own website and is demanding that he stop calling its product a rootkit...the legal threat was a bullying technique to get Eckhart to shut up. Marcia Hofmann, an EFF senior staff attorney, said the civil rights group has decided that "Carrier IQ's real goal is to suppress Eckhart's research and prevent others from verifying his findings."
  • Software maker sorry for trying to silence security researcher
    Withdraws legal threats over mobile 'rootkit' claims
    Dan Goodin, The Register, 24 November 2011

    http://www.theregister.co.uk/2011/11/24/carrier_iq_about_face/
    
    In a statement issued on Wednesday, Mountain View, California-based Carrier IQ apologized to Trevor Eckhart for threatening to sue him for publishing training manuals he said supported his rootkit characterization. The about face came a few days after the Connecticut-based Android developer received legal support from the Electronic Frontier Foundation, which asserted his postings were protected by the US Constitution's First Amendment.... Eckhart's posting claimed that Carrier IQ software was able to log detailed information on millions of phones powered by Google's Android, Research in Motion's Blackberry, and Nokia operating systems. A user's GPS coordinates, key taps, and websites visited were just some of the details phone makers and carriers used the software to track, he claimed. Eckhart also objected to the lack of disclosure given to handset owners that their devices contained the software. In some cases, he said, Carrier IQ versions were modified so phones showed no signs the software was installed and running. That led to claims Carrier IQ was no different than rootkits installed to secretly track and control devices.
  • Carrier IQ apologises to security researcher and withdraws cease and desist letter
    Sees the error of its ways
    Lawrence Latif, The Inquirer, 24 November 2011

    www.theinquirer.net/inquirer/news/2127559/carrier-iq-apologises-security-researcher-withdraws-cease-desist-letter
    MOBILE ANALYTICS FIRM Carrier IQ has withdrawn its cease and desist letter to security researcher Trevor Eckhart following intervention by the Electronic Frontier Foundation (EFF)... Being fair to Carrier IQ, it isn't the only company that provides mobile analytics software, and it was the handset makers and mobile operators that chose to load the software onto handsets. Some third party Android distributions such as Cyanogenmod claim to have removed Carrier IQ's software completely.
  • Carrier IQ Video Shows Alarming Capabilities Of Mobile Tracking Software
    Devin Coldewey, Techcrunch, 29 November 2011

    techcrunch.com/2011/11/29/carrier-iq-video-shows-alarming-capabilities-of-mobile-tracking-software/
    
    You may be aware of the growing controversy surrounding Carrier IQ, a piece of software found pre-installed on Sprint phones that, according to developers who have investigated, is capable of detecting, recording, and transmitting various user actions and inputs. Among the data CIQ potentially has access to are location, SMS, apps, and key presses... News of the software has been percolating for months on development forums, but when Trevor Eckhart recently summarized his findings, he found himself facing a cease and desist while Sprint vigorously denied the charges, saying “We do not and cannot look at the contents of messages, photos, videos, etc., using this tool.”
    Sprint does not, because it hires CarrierIQ to do that, yes?
  • Android handsets secretly logging keystrokes, SMS messages?
    Don Reisinger, CNET News, 30 November 2011
    Carrier IQ [attempted] to clarify what its software doesn't do, including record keystrokes, provide tracking tools, or inspect "the content of e-mails and SMSs." The company also argued that its software does not "provide real-time data reporting to any customer." But Eckhart's new video seems to refute at least some of those claims. In one part of the clip, he shows how an entire SMS message--"hello world"--was recorded by Carrier IQ's software. In another example, he demonstrates how a Google search, his location, and other key information is recorded by Carrier IQ's application, even though he was on Wi-Fi and a page secured by HTTPS. "The Carrier IQ application is receiving not only HTTP strings directly from browser, but also HTTPs strings," Eckhart wrote in a blog post. "HTTPs data is the only thing protecting much of the 'secure' Internet. Queries of what you search, HTTPs plain text login strings (yuck, but yes), even exact details of objects on page are shown in the JS/CSS/GIF files above--and can be seen going into the Carrier IQ application." Perhaps most troublesome is that users don't know where their information is going or how it's being used.
  • BUSTED! Secret app on millions of phones logs key taps
    Researcher says seeing is believing
    Dan Goodin, The Register, 30 November 2011

    www.theregister.co.uk/2011/11/30/smartphone_spying_app/
    
    Trevor Eckhart showed how software from a Silicon Valley company known as Carrier IQ recorded in real time the keys he pressed into a stock EVO handset, which he had reset to factory settings just prior to the demonstration. Using a packet sniffer while his device was in airplane mode, he demonstrated how each numeric tap and every received text message is logged by the software. Ironically, he says, the Carrier IQ software recorded the “hello world” dispatch even before it was displayed on his handset.... In an interview last week, Carrier IQ VP of Marketing Andrew Coward rejected claims the software posed a privacy threat because it never captured key presses... Coward went on to say that Carrier IQ was a diagnostic tool designed to give network carriers and device manufacturers detailed information about the causes of dropped calls and other performance issues.
    So they "need" to "test" everyone's cell phone transmissions 365/24/60/60? Really? Really?
    Eckhart said he chose the HTC phone purely for demonstration purposes. Blackberrys, other Android-powered handsets, and smartphones from Nokia contain the same snooping software, he claims.
I should ruefully acknowledge that many smart phones use operating systems based upon stripped down versions of Linux developed to run smart devices.
Last edited by Ahtiga Saraz on 2011-12-01 21:50, edited 5 times in total.
Ahtiga Saraz

The people standing up against the tyrants! Audacity, more audacity, always audacity!

62chevy
Posts: 1589
Joined: 2009-10-25 01:09
Location: West Virginia

Re: Carrier IQ Smartphone Keylogging Rootkit: "just testing"

#2 Post by 62chevy »

Most phones nowadays have GPS that can track you 24/7 as long as it has power. The same with On Star and other such devices for your car. The only way to disable the GPS in your phone is to remove the battery. On Star will work no matter what you do because you can't disable it, even if you don't sign up for the service they can track you and tell the Cops where you have been and how fast you were driving.
Debian Buster

Ahtiga Saraz
Posts: 1014
Joined: 2009-06-15 01:19

Carrier IQ Scandal Widens

#3 Post by Ahtiga Saraz »

@ 62chevy:

That's all true, but I may not have sufficiently stressed how much more intrusive is the Carrier IQ surveillance than any of the things you mentioned. This rootkit is
  • hidden from all but the most tech-savvy users
  • effectively uninstallable (but some telecoms claim to have uninstalled it following Eckhart's revelations)
  • logs not only geolocation, ingoing/outgoing calls and text messages but also
    • the content of SMS text messages
    • search terms
    • contact list and other sensitive personal information
    • web-browsing log
    • which phone features are accessed when, even individual keystrokes
    • pre-encrypted content of ssl encrypted packets (such as bank account balance when you use your phone to do on-line banking)
Even worse, it is said to expose all this information to virtually any other app, very possibly including criminal spyware. Most of this information appears to have nothing to do with "diagnostics for troubleshooting dropped calls", and Sprint and other carriers which have issued vigorous denials of spying have not explained why telecoms supposedly need to engage in such intrusive "diagnosis" 365/24/60/60.

Because it is so widely deployed, the Carrier IQ snooping is now said to affect tens of millions of smart phones worldwide, and as further details emerge, even hardened techie reporters have been expressing shock and outrage.

The keylogging rootkit apparently goes by different names and lives in different locations, depending upon which brand of smart phone you use. Telecoms all over the world, and smart phone vendors such as RIM, have been falling all over themselves claiming that they have nothing to do with Carrier IQ, and preliminary evidence suggests that the USA and UK may use different spycos for "diagnostics" [sic]. Reporters have quite properly treated the denials of Carrier IQ itself with contempt; apparently seeing Eckhart's video is believing!
  • BUSTED TWO: Carrier IQ monitor-ware on iPhones too?
    Chpwn finds agent in /usr/bin
    Richard Chirgwin, The Register, 1 December 2011

    www.theregister.co.uk/2011/12/01/ios_has_carrier_iq_client/
    
    Blogger and iPhone hacker Chpwn believes that the controversial Carrier IQ software isn’t confined to Android devices...a look at the /usr/bin folder reveals Carrier IQ’s agent software, identified as IQAgent in iOS 3, and either awd_ice2 or awd_ice3 on iOS 4 or iOS 5 devices.... Chpwn believes the daemon does not have access to the UI layer, which means it may not be able to capture the kind of data exposed in Android devices.... he is not certain the software is launched except when the phone is in diagnostic mode, the discovery is certain to add further momentum to the fury mounting at Carrier IQ’s surreptitious installation on consumer devices. After denials by Carrier IQ that it was recording user behaviour in real time, Trevor Eckhart posted a video demonstrating that the company’s software was catching Eckhart’s taps, including searches sent to SSL (secure sockets layer) servers.
  • Legal row over Carrier IQ 'surveillance' app claims
    Mr Eckhart demonstrated his findings via a video on YouTube
    BBC News, 1 December 2011

    www.bbc.co.uk/news/technology-15982225
    
    Mr Eckhart claimed Carrier IQ was buried deep in the core code for a smartphone to prevent it being found and, on some phones, was customised to prevent users changing what it logged. In some cases, he said, only those with "advanced skills" would be able to find it.
  • So, there's a rootkit hidden in millions of cellphones
    Adrian Kingsley-Hughes, ZDNET, 1 December 2011

    www.zdnet.com/blog/hardware/so-theres-a-rootkit-hidden-in-millions-of-cellphones/16708
    
    So, it seems that there is a rootkit hidden in millions of Android, Symbian, BlackBerry, webOS and even iOS handset that logs everything we do. WHAT?!?!?! The rootkit belongs to a company called Carrier IQ and it seems that it has low-level access to the system that allows it to spy on pretty much everything that you do with your handset. This, on the face of it, seems like an extremely serious breach of security, privacy and trust. ... it seems that Windows Phone handsets don’t have Carrier IQ installed.... There are a LOT of unanswered questions. I’m expecting an avalanche of press releases from a lot of carriers and handset makers over the next few days.
  • UK carriers deny using controversial smartphone tracker
    Information Age, 1 December 2011
    the UK's two largest mobile carriers, O2 and Vodafone, say their handsets do not carry the software. "We do not collect any data via Carrier IQ," an O2 spokesperson told Information Age, while a Vodafone spokesperson said: "We do not add Carrier IQ to the software on the handsets that we sell to our customers."... A spokesperson said that Orange doesn't validate Carrier IQ "or any similar service" on customers' handsets.
    But before smart phone users in the UK heave a sigh of relief, I urge you to ask: which spyco do UK telcos use instead of Carrier IQ for "diagnosis"?
  • Researcher finds snooping smartphone software
    Smartphone security specialist claims Carrier IQ software captures Internet search queries, text messages, locations.
    AFP, 1 December 2011
    Trevor Eckhart exposed the workings of Carrier IQ in a video available online Wednesday as the California company behind the software defended it as a tool for mobile network operators. ... Eckhart wanted details regarding why the Carrier IQ software was vacuuming information about smartphone use and who they shared it with.
  • RIM, Nokia deny use of Carrier IQ software
    Reuters, 1 December 2011
    Research In Motion does not install, nor authorize, its carrier partners to install "Carrier IQ" monitoring software on its BlackBerry smartphones, the company said on Thursday.... "RIM does not pre-install the Carrier IQ app on BlackBerry smartphones or authorize its carrier partners to install the Carrier IQ app before sales or distribution," RIM said. "RIM also did not develop or commission the development of the Carrier IQ application, and has no involvement in the testing, promotion, or distribution of the app."
    Strong stuff. But remember RIM's involvement in several incidents in which Blackberries were trojaned by MENA governments.
  • Security Researcher Shows That -- Despite Carrier IQ's Claims To The Contrary -- CarrierIQ Records Keystrokes
    Mike Masnick, Techdirt, 1 December 2011
    Remember Carrier IQ?... Carrier IQ threatened researcher Trevor Eckhart with a copyright lawsuit ... Eckhart is back with a video showing how CarrierIQ's software does track keystrokes and sends them to a central server. He demonstrates it recording and sending data, even though Eckhart is logging into something using HTTPS. Of course, when the software is local and tracking keystrokes, HTTPS is meaningless.
  • Bitdefender releases Mobile Security for Android devices
    Daniel Robinson, V3, 1 December 2011
    Romanian security vendor Bitdefender has announced a mobile security tool for Android devices, but it will not protect against threats embedded in the firmware such as the Carrier IQ application, only against Trojans or malware that attempt to infect the handset while in use.... If the software turns out to be doing something malicious then it is a matter between the carrier and customer, according to [Bitdefender Research Director Catalin] Cosoi. "But if it only sends details such as the user sent 20 messages and gave two phone calls today, that's not something that involves too much privacy. If it is forwarding the content of the text message itself, that would be a privacy issue," he said.
A good tip for cell phone users: remove the battery and keep it in your pocket; only put it into the phone when you are actually checking messages. This will blunt both geolocation tracking and also will greatly reduce the chance of an inquisitive spook using your phone as an always-on audio surveillance device (a possibility which has been known for more than a year).

I urge all cell phone and smart phone users to call your telecom and administer EFF's test questions, adding some about Carrier IQ or similar "diagnostic" spyware. Remember, Carrier IQ is just one of several companies which specialize in smart phone snooping, and remember that telecoms and spycos try hard to disguise what they are doing under such harmless sounding euphemisms as "diagnostics". Ask tough questions; look under the hood.
Ahtiga Saraz

The people standing up against the tyrants! Audacity, more audacity, always audacity!

Ahtiga Saraz
Posts: 1014
Joined: 2009-06-15 01:19

Carrier IQ Smartphone Keylogging Rootkit: the scandal contin

#4 Post by Ahtiga Saraz »

The Carrier IQ scandal continues:
  • US Senator demands answers from Carrier IQ
    Al Franken calls smartphone tracker on the carpet
    Dan Goodin, The Register, 1 December 2011

    www.theregister.co.uk/2011/12/01/al_franken_carrier_iq/
    
    Senator and former late-night funnyman Al Franken has called on Carrier IQ to explain why its diagnostic software, buried in the bowels of 141 million smartphones, isn't a massive violation of US wiretap laws.
    Franken's questions for Carrier IQ:
    • Does Carrier IQ software log users’ location?
    • What other data does Carrier IQ software log? Does it log:
      • The telephone numbers users dial?
      • The telephone numbers of individuals calling a user?
      • The contents of the text messages users receive?
      • The contents of the text messages users send?
      • The contents of the emails they receive?
      • The contents of the emails users send?
      • The URLs of the websites that users visit?
      • The contents of users’ online search queries?
      • The names or contact information from users’ address books?
      • Any other keystroke data?
    • What if any of this data is transmitted off of a users’ phone? When? In what form?
    • Is that data transmitted to Carrier IQ? Is it transmitted to smartphone manufacturers, operating system providers, or carriers? Is it transmitted to any other third parties?
    • If Carrier IQ receives this data, does it subsequently share it with third parties? With whom does it share this data? What data is shared?
    • Will Carrier IQ allow users to stop any logging and transmission of this data?
    • How long does Carrier IQ store this data?
    • Has Carrier IQ disclosed this data to federal or state law enforcement?
    • How does Carrier IQ protect this data against hackers and other security threats?
    • Does Carrier IQ believe that its actions comply with the Electronic Communications Privacy Act, including the federal wiretap statute (18 U.S.C. § 2511 et seq.), the pen register statute (18 USC § 3121 et seq.), and the Stored Communications Act (18 U.S.C. § 2701 et seq.)?
    • Does Carrier IQ believe that its actions comply with the Computer Fraud and Abuse Act (18 U.S.C. § 1030)? Why?
    Those are excellent questions. Just one worrisome point: spycos typically tout the configurability, versatility, adaptability of their surveillance products, and Carrier IQ's rootkit seems to be no exception. Thus, the first set of questions should have been written to avoid letting Carrier IQ avoid direct answers, or inviting them to fail to disclose that the carriers apparently have great freedom in how they configure and reconfigure the rootkits, all without notice to the consumer into whose private lives they are intruding so deeply. For example, recent revelations suggest that the carriers are free to decide whether they want to record and transmit (re-encrypted to be readable only by the carrier) the pre-encrypted content of encrypted SMS text messages.
  • How to disable Carrier IQ on your iOS device
    Jason Cipriani, CNET, 1 December 2011
    With Carrier IQ having now been found in iOS, you may feel more comfortable knowing you can disable any logging or reporting done by the service on your iPad, iPod Touch, or iPhone in just a few steps. Update: As pointed out in the comments below, it looks like the ability to disable these logs from automatically being sent is restricted to iOS 5.
  • What does Carrier IQ do on my phone--and should I care? (FAQ)
    Elinor Mills, CNET News, 1 December 2011
    Carrier IQ is software that comes pre-installed on certain handheld devices. It collects usage data that mobile operators and device manufacturers analyze so they can make hardware, network and service improvements, according to Carrier IQ. It runs all the time and cannot be turned off, although it can be removed by unlocking the phone and gaining administrator access, which typically voids the warranty...Carrier IQ says its software is embedded in more than 130 million phones globally but doesn't name its customers. Eckhart used an Android-based HTC EVO for his video demonstration and said it was also in Samsung, Nokia, and BlackBerry phones and on Sprint and Verizon.... [Carrier IQ executive] Coward said that Carrier IQ transmits data in encrypted form. The data can be sent to either Carrier IQ's network or the carrier's network, and it is typically stored for 30 days, he added. The carriers are pretty much free to do what they want with it, including conceivably sell it or share it with third parties, Coward said. "They are in control of the data," he said. "We have no rights to it."
  • Carrier IQ gives the game away
    Rupert Goodwins, ZDNet, 2 December 2011
    It is the stuff of nightmares. A hidden piece of software called Carrier IQ is discovered in millions of mobile phones. It seems to be monitoring everything the unsuspecting users do — keystrokes, calls, emails, texts, web browsing, location sensing — and there's no way to turn it off... Cue the outrage. For a while, it seems as if the discovery of the true nature of Carrier IQ makes it even worse than being hacked by the People's Liberation Army Third Department's Seventh Bureau (61580 Unit) — the Beijing equivalent of GCHQ. Spies and criminals, well, they're supposed to attack us: when our mobile networks do it, that's betrayal. But while the nature and distribution of Carrier IQ is undisputed, its intention is not so clear. Claims and counterclaims continue, but the most generous interpretation of its existence is also the most likely: it is there, as its creators say, to gather anonymous data to help the networks spot problems and optimise their systems.
    I remain suspicious about the ultimate aims of Carrier IQ and its secret business partners, but Goodwins offers some salient advice to telecoms and ISPs:
    If what you're doing is legitimate, educate the users on how they benefit from opting in; if you can't persuade them, you shouldn't be doing it.
    To which I'd add: this data is not merely documenting in minute detail the consumer's private life, to a rapidly increasing extent it is the consumer's private life. It follows that the consumer, not the spyco or the carrier, owns the data, and the consumer should have absolute knowledge and control over where it all goes and what is done with it and why.
  • Carrier IQ VP: App on millions of phones not a privacy risk
    Like tiny fish through a net, key taps dropped from memory
    Dan Goodin, The Register, 2 December 2011

    www.theregister.co.uk/2011/12/02/carrier_iq_interview/
    
    More than 48 hours after a software developer posted evidence Carrier IQ monitored the key taps on more than 141 million smartphones, a company official has come forward to rebut the disturbing allegations. And he's provided enough technical detail to convince The Register the diagnostics software doesn't represent a privacy threat to handset owners.
    I think it's much too early to reach that comforting conclusion, but:
    His version of the software has been confirmed by Dan Rosenberg, an Android security researcher who has reverse engineered Carrier IQ and examined the underlying machine language. He said he took the undertaking after viewing a video demonstration posted on Monday that showed the software echoing the precise key taps developer Trevor Eckhart typed into his HTC EVO handset.
    If Carrier IQ is so harmless, why did the company react to Eckhart's revelations with dire legal threats instead of by inviting Dan Rosenberg to audit their software, and by inviting Privacy International to audit what their business partners do with all that data? I believe that these counterclaims by Carrier IQ (and Dan Rosenberg, who is known to me as a respectable researcher) raise more questions than they answer. The article continues with an extensive interview with the Carrier IQ executive.
  • Carrier IQ Admits Holding ‘Treasure Trove’ of Consumer Data, But No Keystrokes
    David Kravets, Wired, 2 December 2011

    www.wired.com/threatlevel/2011/12/carrier-iq-data-vacuum/
    
    An embattled phone-monitoring software maker said Friday that its wares, secretly installed on some 150 million phones, have the capacity to log web usage, and to chronicle where and when and to what numbers calls and text messages were sent and received.... the software also monitors app deployment, battery life, phone CPU output and data and cell-site connectivity, among other things. The data, which gets downloaded from consumers’ phones roughly once a day, is encrypted during transit and also provided to carriers to enhance the “user experience,” these executives said.
    The problem is, no-one asked the consumers whether they approve of deep intrusions into their private lives as "improving their user experience".
    [Carrier IQ marketing executive] Coward also emphasized that the software does not know the content of websites or apps or text messages or phone calls, but acknowledged that it does transmit website addresses to some carriers as a diagnostic tool.
    "All testing all the time", eh?
    [Coward said] “We certainly recognize that as a future thing for advertising, clearly having that information from a marketing perspective is very interesting.”
    Recall that when the small spyco HBGary Federal, which had close ties to the US Federal government, got into financial trouble (the feds decided its surveillance tools sucked), then CEO Aaron Barr did not hesitate to hawk his remote surveillance and intrusion skills to a law firm (Hunton and Williams) with ties to big banks and the U.S. Chamber of Commerce, a law firm whose clients evidently wanted to discredit Wikileaks supporters in advance of a then-rumored email leak implicating BoA executives in knowing involvement in nearly toppling the global economy by fostering the mortgage meltdown.
    Since the company is getting the URLs from the phone, they are able to record encrypted search terms such as

    https://www.google.com/#hl=en&sugexp=ppwe&cp=3&gs_id=p&xhr=t&q=abortion+clinics
    
    This is one of the hardest points to get across: too often, the most dangerous information is often included in the URLs themselves. The "content" is the "headers". This is crucial to bear in mind when studying US laws on data interception, including "lawful interception" [sic].
    Some carriers might want the text-message data, for example, only when certain conditions are met, such as when a text doesn’t go through to the intended recipient.
    So, hypothetically, if an ISP employee wants to read SMS communications to his ex-wife, he needs only ensure that the messages are not delivered to her. Then Carrier IQ will ensure he reads the unencrypted content, so he can prevent her from meeting her new boyfriend. Given that coppers have often been caught misusing their access to "secure databases" for such purposes, it does not seem to greatly stretch the imagination to infer that telecom and ISP employees also abuse their secret powers to snoop on celebrities or personal enemies.
    Some carriers collect the data on an anonymized basis...But other carriers collect data that lets them drill down to the individual phone, providing customer-service representatives with vast tools to assist complaining customers.
    And don't forget that the carriers are free to arbitrarily change their policies at any time, and in no case of which I am aware did any carrier make any genuine effort to educate their customers about what Carrier IQ is doing for them (or for local governments?) and why.
    its data center is encrypted. “It’s highly secure,” he said.
    HBGary's servers were also "highly secure". SMS messages are encrypted, but Carrier IQ knows how to evade that, doesn't it? IMO such assurances that no-one could ever under any circumstances inappropriately obtain or misuse this data are utterly worthless.
    The software runs hidden from users, who generally can’t find it or uninstall it without very sophisticated knowledge or by switching out the operating system by “rooting” their phone and flashing an alternative operating system.
    I hope Kravets and other reporters continue to stress this point, because I think this is really the key: Carrier IQ is currently in hot water because its business model (as is the case for other spycos) is diametrically opposed to the principles of "business transparency" and "consumer choice". Unfortunately, when spycos use the word "transparency", as in "transparent to the user", they always mean invisible to the consumer, and that is really the point. Espionage is furtive, clandestine, sneaky, devious; spying on citizens is conduct unworthy of gentlemen.
    Asked if the company has been approached to perform services deemed “unethical,” Coward quipped: ”Not yet.”
    I don't think I like Mr. Coward very much. And I don't believe his denials. I hope Senator Franken investigates and that the FTC requires continuous mandatory external auditing by organizations such as Privacy International of the surveillance activities of Carrier IQ and all its business partners. And who are those partners, anyway? Inquiring minds desire to know.
Regarding the rather different tone of the most recent articles from The Register and from Wired, I note that while reporter Dan Goodin is in San Francisco, The Register itself operates from the UK, where libel laws favor wealthy individuals and companies seeking to suppress "negative reporting". By contrast, Wired operates from the US, where libel laws look more kindly on the freedom of the press, in particular on news reports held to be "in the public interest", which I obviously think applies to the issues I am discussing in this thread. Recall also that Carrier IQ's initial reaction to Trevor Eckhart's revelations was to threaten to sue him for libel (fortunately, he is in the US and the US-based EFF came to his defence, and Carrier IQ backed down from those threats).

Another point which should be borne in mind: a number of telecoms and ISPs appear to essentially be front companies for intelligence agencies. These are mostly small, but one of the largest is primarily an international spyco. In the USA, telecoms which were founded using grant money from In-Q-Tel are obvious candidates for suspicion of acting as front companies. I do not yet know what to make of many indications that these telecoms appear to do a great deal of business with spammers and other low-grade criminal operations. But I can say that the US CIA has long had a preference for front companies which actually make a profit, and historically that agency has not hesitated to cooperate with criminal organizations.
Ahtiga Saraz

The people, standing against the tyrants! Audacity, more audacity, always audacity!
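The point made in the post above about URLs carrying the sensitive part, as an added example that is not part of the original post and is not Carrier IQ code: it splits the quoted search URL and shows what an on-device URL logger, a passive network observer and the web server each see in one HTTPS page load. The function names, the `FREE_TEXT_KEYS` set and the second URL are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# The search URL quoted in the post above (copied from the page).
SEARCH_URL = ("https://www.google.com/#hl=en&sugexp=ppwe&cp=3&gs_id=p"
              "&xhr=t&q=abortion+clinics")
# Constructed second sample: the same kind of search carried in the query string.
QUERY_URL = "https://search.example/find?q=clinic+hours&page=2"

# Assumption: parameter names that commonly carry text the user typed.
FREE_TEXT_KEYS = {"q", "query", "search", "s", "keyword"}


def visible_to(url):
    """Return what each vantage point learns from one HTTPS navigation."""
    parts = urlsplit(url)
    request_target = parts.path or "/"
    if parts.query:
        request_target += "?" + parts.query
    return {
        # Software on the handset that is handed the browser's URL string
        # sees everything, including the fragment after '#'.
        "on_device_logger": url,
        # A passive observer of the TLS connection sees the hostname
        # (DNS lookup, TLS SNI) but not the path, query or fragment.
        "network_observer": parts.hostname,
        # The server sees host and request target in the navigation request;
        # the fragment is never sent in that request.
        "origin_server": parts.hostname + request_target,
    }


def typed_text(url):
    """Extract free-text parameters from both the query and the fragment."""
    parts = urlsplit(url)
    found = []
    for where, raw in (("query", parts.query), ("fragment", parts.fragment)):
        for key, value in parse_qsl(raw, keep_blank_values=True):
            if key.lower() in FREE_TEXT_KEYS and value:
                found.append((where, key, value))
    return found


def minimise(url):
    """Data-minimised form for diagnostics: scheme and host only."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}/"


if __name__ == "__main__":
    for sample in (SEARCH_URL, QUERY_URL):
        print(sample)
        for observer, seen in visible_to(sample).items():
            print(f"  {observer:17} {seen}")
        print(f"  typed text        {typed_text(sample)}")
        print(f"  minimised         {minimise(sample)}")
```

For the URL from the post, the search terms sit in the fragment, so transport encryption hides them from the network while a logger on the handset still records them in full.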

Ahtiga Saraz
Posts: 1014
Joined: 2009-06-15 01:19

Carrier IQ: the FBI connection

#5 Post by Ahtiga Saraz »

New revelations about Carrier IQ's rootkit keep appearing:
  • Apple, Nokia and RIM distance themselves from Carrier IQ saga
    Don't look at us, Guv'
    Lawrence Latif, The Inquirer, 2 December 2011
    MOBILE PHONE MAKERS Apple, Nokia and Research in Motion (RIM) are distancing themselves from Carrier IQ as the controversy over the firm's analytical software heats up.... Yesterday Apple's IOS got some attention, with security researchers claiming to have found hooks for Carrier IQ software in IOS3, IOS4 and IOS5. Apple sent a statement to Allthingsd saying it plans to remove the software entirely in the future.
  • Carrier IQ admits its software sees a lot of information but claims no rights over data
    Hints at a mobile operator control problem
    Lawrence Latif, The Inquirer, 5 December 2011
    MOBILE ANALYTICS FIRM Carrier IQ told The INQUIRER that its software does "see a great deal of information" and that it does "listen to SMS" [text messages]
    quite a change from their original claims!
    but that it has no rights over the data.... [Carrier IQ executive Andrew] Coward revealed Carrier IQ's software can be loaded on almost any device, usually at the request of mobile operators.... [Coward said:] "So certainly here in the US, unlike Europe, the operators have a lot more control over the devices in the portfolio meaning the operators end up selling the devices in the most part"...[but] in Europe, the amount of data that can be collected is less and that, "opt-in/opt-out [to tracking] is the difference between the US and European markets".
    Yet another illustration of why privacy advocates make such a fuss over opt-in rather than opt-out schemes for regulating "commercial" surveillance.
  • T-Mobile deploys Carrier IQ on BlackBerry, others
    Elinor Mills, CNET News, 5 December 2011
    The more the subject of Carrier IQ gets stirred, the more questions arise. Last week, BlackBerry maker Research In Motion distanced itself from the Carrier IQ controversy saying... [it] "has no involvement in the testing, promotion, or distribution of the app. RIM will continue to investigate reports and speculation related to CarrierIQ." But a list of T-Mobile handsets that use Carrier IQ published by TmoNews has three BlackBerry models on it: BlackBerry 9900, 9360 and 9810.... That list of T-Mobile devices using Carrier IQ also includes the HTC Amaze 4G, Samsung Galaxy S II, Samsung Exhibit II 4G, T-Mobile myTouch by LG, T-Mobile myTouch Q by LG and LG DoublePlay.
  • Why are Android anti-virus firms so slow to react on Carrier IQ?
    Release of eradication 'detection' apps 1 month on raises questions
    John Leyden, The Register, 8 December 2011

    www.theregister.co.uk/2011/12/08/carrier_iq_android_detection/
    
    Some Android anti-virus firms have begun releasing Carrier IQ detection apps, but only after the controversial software became a talking point on Capitol Hill ... and a month after a security researcher first discovered it... BitDefender said that Carrier IQ's mobile network diagnostic tool is "so deeply integrated with the device’s firmware [that] Carrier IQ Finder cannot remove it"... The whole episode leaves us wondering about the ability of Lookout or other Android anti-virus firms to flag up something potentially unwanted on devices, especially if it happens to be made by a commercial developer who might sue. We put this point to Lookout but weren't able to get a specific answer on whether or not it was up for contesting such actions.
    It's clearly unwanted by the majority of consumers, yet it's always there, always on, logging everything the user does with the phone, and it's ineradicable--- cell phone users everywhere are asking: how is this not a rootkit? Functionally speaking?
  • Google's Schmidt denies working with snooping Carrier IQ
    It's the telcos, not Android
    Edward Berridge, Tech Eye, 9 December 2011

    news.techeye.net/security/googles-schmidt-denies-working-with-snooping-carrier-iq
    
    In what seems to be the strongest indictment of Carrier IQ, [Google CEO Eric] Schmidt described the software as a key-logger which stores keystrokes... He said he didn't like the way the software is pre-installed and collects data in the background to report back to operators, and that users are unable to disable it without completely wiping their smartphone. "We certainly don't work with them and we certainly don't support it," he told an internet freedom conference in The Hague
    But
    Unfortunately for Google, its Android software has been linked to Carrier IQ after a hacking expert released a video on YouTube showing his Android-powered HTC running the software.
  • FOI request turns up Carrier IQ surprise
    G-men slurping snooped smartphone data?
    Richard Chirgwin, The Register, 12 December 2011

    www.theregister.co.uk/2011/12/12/carrier_iq_and_the_fbi/
    
    The Carrier IQ scandal is a gift that just keeps giving: a US FOI report suggests that the FBI is using data captured by the creepy smartphone snooping app. The discovery was made by FOI blog MuckRock, which asked for “manuals, documents or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ”. The FBI said “no”, but not because they didn’t have the information. Rather, the feds didn’t want to release the data because it could impact a current investigation: “I have determined that the records responsive to your request are law enforcement records,” the response states, “that there is a pending or prospective enforcement proceeding relevant to these responsive records; and that release of the information contained in these responsive records could reasonably be expected to interfere with the enforcement proceeding”
    Many privacy advocates have long charged that much of the dragnet surveillance in the USA takes place under the legal fiction that the surveillance is "simply a test of the equipment", and Carrier IQ data would seem to be well tailored for rampant abuse by US law enforcement agencies. But as Chirgwin notes, it is also possible that this response is related to the fact that Carrier IQ is itself under investigation by US regulatory authorities, and possibly under criminal investigation by the FBI. Very possibly, both hypotheses are true: the FBI has been extensively using Carrier IQ data for "intelligence purposes" (note well that it would probably be illegal to introduce any of it in a US court, but it is common for "Western" secret police agencies to gather intelligence knowing full well the "evidence" is inadmissible in court), and as a result of the recent hoopla, the FBI is now investigating Carrier IQ. But I tend to doubt the latter possibility, given the apparent refusal of the FBI to investigate HBGary Federal for much more serious civil rights violations.
  • FBI admits to using Carrier IQ data
    A tool for the men in black
    Lawrence Latif
    13 December 2011

    www.theinquirer.net/inquirer/news/2132102/fbi-admits-carrier-iq
    
    The FBI [stated] that although it compiles records through Carrier IQ, it is "only to the extent that the production of such law enforcement records or information". So the FBI is being cagey on how it uses the information that it receives through Carrier IQ's software, which is not that surprising, but given that we know what information is recorded it is possible to make educated guesses.
  • FBI using Carrier IQ info for "law enforcement purposes," refuses to release records
    Jon Brodkin, Ars Technica, 13 December 2011

     http://arstechnica.com/tech-policy/news/2011/12/fbi-using-carrier-iq-info-for-law-enforcement-purposes-refuses-to-release-records.ars
    
    An enterprising advocate for openness in government has filed a Freedom of Information Act (FOIA) request to the FBI for all information the agency uses related to Carrier IQ, the company under fire for monitoring user activity on smartphones—and his request was flatly denied. The FBI claims data gathered by Carrier IQ software is exempt from disclosure laws because it is located in an investigative file that was "compiled for law enforcement purposes" and "could reasonably be expected to interfere with enforcement proceedings."... The FBI acknowledged receiving his request within a few days, and then issued a blanket denial, which cites a law exempting records from disclosure if releasing them could interfere with law enforcement proceedings. "In applying this exemption, I have determined that the records responsive to your request are law enforcement records; that there is a pending or prospective law enforcement proceeding relevant to these responsive records; and that release of the information contained in these responsive records could reasonably be expected to interfere with the enforcement proceedings," an FBI records management official named David Hardy wrote to Morisy.
I was horrified by another set of very recent stories. Up above, on 3 December 2011, I wrote
So, hypothetically, if an ISP employee wants to read SMS communications to his ex-wife, he needs only ensure that the messages are not delivered to her. Then Carrier IQ will ensure he reads the unencrypted content, so he can prevent her from meeting her new boyfriend. Given that coppers have often been caught misusing their access to "secure databases" for such purposes, it does not seem to greatly stretch the imagination to infer that telecom and ISP employees also abuse their secret powers to snoop on celebrities or personal enemies.
Tragically, a news story which made headlines barely one week after I wrote those words provided yet another example of this increasingly common scenario:
  • Melton Mowbray policeman kills his wife and child after losing job
    Older daughter raises alarm as Tobias Day kills himself after attacking his partner and three children at family home
    Caroline Davies, The Guardian, 9 December 2011

    www.guardian.co.uk/uk/2011/dec/09/melton-mowbray-policeman-kills-wife-child
    
    A former police inspector killed his wife and six-year-old daughter and seriously injured his two other children in a frenzied attack before killing himself after being sacked last week for misusing his force computer systems.... Leicestershire police said Day had been dismissed following a misconduct hearing over "matters concerning honesty and integrity" and concerning the misuse of the force computer systems.
  • Police officer kills wife, daughter, self
    UPI, 10 December 2011
    Police were called to Toby Day's house in Melton Mowbray after his older daughter, severely injured, ran from the house to a nearby school Thursday, The Daily Telegraph reported. They found Day, his wife, Samantha, 38, daughter Genevieve, 6, and a 13-year-old son, all with knife wounds. The parents and Genevieve died at a hospital. Sources told the Telegraph that Day, 37, was suspended when he was discovered using the national police computer to get information on a man he believed was his wife's lover and that he was fired last week.
Often, after such tragedies, surviving family members want to know what society can learn from such events. Could this tragedy and others like it have been prevented if the Surveillance State were dismantled? I wouldn't go that far, but I suspect that a study would show that while such incidents remain rare, their rate is rapidly rising, and there appears to often be a nexus to misuse of "law enforcement only" databases for spousal espionage.

The very fact that such detailed records of everyone's "private" lives are being (i) collected and (ii) widely disseminated in governmental/police circles implies that databases can be abused, and if they can be, history shows that they will be.

US media ranging from Hollywood blockbuster film studios to Fox News tend to present police officers as larger than life superhero action figures. (Oddly enough, UK Surveillance State propaganda TV series tend to be more subtle.) I think that is unhealthy for society. Much better for everyone--- including the coppers themselves--- if society views police officers as human beings with human failings, who are held to a higher standard of behavior because of the special powers with which society has entrusted them, and who should not be penalized for recognizing that from time to time they may need psychological help due to the particular pressures of police work.

(Privacy advocacy and police work are two callings which certainly do tend to result in a certain "paranoia", and both privacy advocates and police officers are, unfortunately, not entirely unjustified in fearing that inimical persons may be stalking them. Just one of many ironies of the Surveillance State.)

Marital problems are said to be particularly prevalent among police officers (due to such factors as psychological trauma which spouses may find it difficult to understand, and long and sometimes family unfriendly and/or unpredictable work schedules), and the ready availability of psychological counseling could help police officers with troubled marriages or other family issues to resist the temptation to misuse police databases. In principle, such resources are already available in most "Western democracies". In practice, it would require a profound change in police subculture in order for more police officers to take advantage of them.
Ahtiga Saraz

The people, standing against the tyrants! Audacity, more audacity, always audacity!

Ahtiga Saraz
Posts: 1014
Joined: 2009-06-15 01:19

Carrier IQ: liar, liar, pants on fire

#6 Post by Ahtiga Saraz »

Carrier IQ continues to squirm in the hot seat, as company executives endure questioning by the FTC in the US capital. Meanwhile, marketing executive Andrew Coward continues to issue what I can only characterize as misleading semi-denials. And the FBI gives further statements tending to imply that it has indeed been using information snagged by Carrier IQ, information apparently providing deep inspection of the private lives of an undisclosed number of Americans who have come under scrutiny for undisclosed reasons (very possibly, simply because they use the same brand of mobile phone as some suspected drugs smuggler, or something like that).
  • Some Facts About Carrier IQ
    Peter Eckersley, EFF Deeplinks, 13 December 2011

    https://www.eff.org/deeplinks/2011/12/carrier-iq-architecture
    
    First, when people talk about "Carrier IQ," they can be referring to several different things...The huge amount of disagreement about various points, such as whether Carrier IQ logs keystrokes and text message content, is a result of using the term "Carrier IQ" to mean one of these four different things, as well as the fact that layers 3 and 4 vary depending on which manufacturer built the phone, and which network it was customized for. Finally, there is an additional configuration file (called a "Profile") that controls the behavior of layer 2 and determines what information is actually sent from the phone to a carrier or other Carrier IQ client. Profiles are programs in a domain-specific filtering language; they are normally written by Carrier IQ Inc. to the specifications of a telco or other client.
    Very useful, as one would expect.
  • Carrier IQ fights to clear name amid renewed privacy concerns
    Shaun Nichols, V3, 14 December 2011
    The company said that the IQ Agent software, which allows carriers to gather data on mobile platforms including Android, BlackBerry and iOS, does not collect information such as log files and MMS messages by default.
    But as their own marketing literature stresses, the Carrier IQ keylogger, IQAgent, is highly configurable on-the-fly by the customers of Carrier IQ, the mobile phone service providers.
    Carrier IQ claimed that Eckhart's findings were the result of an error which left some handsets in their debug settings, and that such components are not normally accessible to IQ Agent.
    Now they are trying to blame the victim: "it's your own fault that we spied on you, because when you started looking into what Carrier IQ is doing, you tripped the 'keylog everything' switch".
    The Electronic Frontier Foundation, which has been providing legal support and representation to Eckhart, said that Carrier IQ has yet to answer a number of important questions about IQ Agent. "The information that we need now is a complete history of all of the profiles that carriers have ever installed on their customers' phones, to learn what the carriers meant to collect. This would be a good place for regulators and others to start their inquiries," the Foundation said.
  • Carrier IQ Explains Secret Monitoring Software to FTC, FCC
    By David Kravets, Wired, 14 December 2011

    www.wired.com/threatlevel/2011/12/carrieriq-ftc-fcc/
    
    Carrier IQ executives told Wired two weeks ago that the Mountain View, California company’s wares, secretly installed on some 150 million phones, have the capacity to log web usage, and to chronicle where and when and to what numbers calls and text messages were sent and received....The software maker said the data it vacuums to its servers from handsets is vast — as the software also monitors app deployment, battery life, phone CPU output and data and cell-site connectivity, among other things. But, the company said, the software is not logging every keystroke.
    Except when it is, as in the case of Trevor Eckhart's phone.
  • Carrier IQ is being investigated by the US
    Looking into allegations over tracking software
    Kate O'Flaherty, The Inquirer, 15 December 2011
    US FEDERAL INVESTIGATORS are looking into allegations that Carrier IQ tracked users and sent details to mobile operators. According to the Washington Post, executives at Carrier IQ traveled to Washington on Tuesday and met with officials of the US Federal Trade Commission (FTC) as well as US Federal Communications Commission (FCC) officials.... In an interview with The INQUIRER, Carrier IQ's VP of marketing Andrew Coward said the firm uses location information so mobile operators can target specific demographics when collecting data. The firm has now provided an example of a heat-map generated through location tracking and it is not very hard to see how this information could be useful for law enforcement agencies.
  • Carrier IQ exec says company has learned lessons
    Elinor Mills, CNET News, 14 December 2011
    CNET today talked to Andrew Coward, vice president of marketing at Carrier IQ, about The Washington Post report of an FTC probe. Coward acknowledged that the company had talked to the FTC and the Federal Communications Commission, but couldn't confirm that an official investigation had been launched. Curious as to what Carrier IQ executives think as they peer out from the center of the tornado, CNET asked Coward to reflect on what some reports have labeled a "scandal."
    AC admits that the "Cease and Desist" letter targeting security researcher Trevor Eckhart was a public relations disaster, but insists that Carrier IQ is a "legitimate business". Most observers appear to be--- this is an understatement--- unconvinced.
  • Sprint disabling Carrier IQ on phones
    Elinor Mills, CNET News, 16 December 2011
    Sprint, which for weeks has defended its use of Carrier IQ software on mobile phones, is now disabling the software... Carrier IQ, Sprint, AT&T, and T-Mobile have said they use the software to diagnose problems and troubleshoot network failures. But critics--including Android developer Trevor Eckhart, who first exposed the workings of Carrier IQ on the phones last month--complain that consumers aren't aware that data is being collected from their phones and can't opt out. The critics also have raised alarms that content of messages and keystrokes are being logged, which Carrier IQ and the operators deny. Outside security experts also say they find no evidence of keylogging by the software. Carrier IQ's delayed response in releasing details added fuel to a firestorm already stoked by Carrier IQ's filing a cease-and-desist notice against Eckhart shortly after he went public with his concerns. The company eventually backed down and apologized, but to many people it seemed like the company had something to hide.
    Indeed. And the US FBI has admitted that it has something to hide concerning its relationship to the data collected by Carrier IQ, supposedly for "harmless diagnostics". (Oh, really?)
  • The Complete List of All the Phones With Carrier IQ Spyware Installed
    Gizmodo, 16 December 2011
    AT&T, Sprint, HTC, and Samsung have sent the list of all the phones with Carrier IQ spyware installed in them...
    • AT&T: ... about 900,000 users using phones with Carrier IQ....
    • Sprint: ... almost half of all their subscribers, 53.4 million customers...
    • Samsung: ... 25 million phones affected
    • HTC:... preinstalled Carrier IQ spyware on about 6.3 million Android phones
    The list of devices known to be affected includes phones made by Amaze, Audiovox, EVO, Hero, HTC, Huawei, Kyocera, LG, Motorola, Novatel, Palmone, Pantech, Samsung, Sanyo, SEMC, Sierra, Snap, Touch Pro, Vivid, and ZTE. Among major US cell phone providers, it seems that only Verizon does not use Carrier IQ, but I assume this means they use another "diagnostics" spyco. Among phone manufacturers, similarly for Microsoft.
  • Mobile Carriers Claim Consumer Consent to Carrier IQ Spying
    David Kravets, Wired, 16 December 2011

    http://www.wired.com/threatlevel/2011/12/telcos-say-you-consented/
    
    Americans consented to secretly installed software on 150 million mobile phones that logs what apps they use and what websites they visit and who they communicate with, according to mobile-phone makers and carriers.
    The sheer, unmitigated gall of these corporations truly takes my breath away.
    The software runs hidden from users, who generally can’t find it or uninstall it without very sophisticated knowledge or by switching out the operating system by “rooting” their phone and flashing an alternative operating system. While legal, rooting almost always voids a phone’s warranty. What data is sent to Carrier IQ and the carriers depends on how much data the telcos want. Some carriers might want the text-message data, for example, only when certain conditions are met, such as when a text doesn’t go through to the intended recipient.
    Not only that, but as I understand it, cell phone providers can easily implement different levels of spying for different customers. Perhaps at the warrantless behest of the FBI?
Ahtiga Saraz

The people, standing against the tyrants! Audacity, more audacity, always audacity!
